Owner

Current status

Detailed Description

Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals, although totp-cgi only mentions Postgres support, whereas dynalogin can use MySQL thanks to unixODBC. dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.

Benefit to Fedora

Users will have a self-contained solution for two-factor authentication without relying on external parties such as RSA.

Scope

Adding dynalogin and SimpleID packages. Additional upstream development work on dynalogin to interface with LDAP, PAM and maybe RADIUS.

How To Test

Ideally, testing will be done with a real token (maybe a dynalogin soft-token on Android). There is also a command-line token simulator utility that can be used in testing.

Testing should demonstrate that:

an authorised user can log in to more than one service on more than one host,

the HOTP algorithm counter is correctly maintained no matter which host the user logs in to,

it works with the popular soft tokens 'dynalogin' and 'Google Authenticator' for Android,

an account can be blocked, after which the user is immediately denied any further login (until unblocked).
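
The counter, replay and blocking criteria above, sketched as an added example (not dynalogin's code): RFC 4226 HOTP verified by two hosts against one shared counter record. `SharedStore`, `Host`, the look-ahead window of 3 and the user `alice` are assumptions for illustration; the in-memory dict stands in for the database.

```python
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6):
    """HOTP value (RFC 4226) for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SharedStore:
    """Stand-in for the shared database (hypothetical, in-memory)."""
    def __init__(self):
        self.users = {}
    def add_user(self, name, secret):
        self.users[name] = {"secret": secret, "counter": 0, "blocked": False}

class Host:
    """One login host (hypothetical); all hosts share one SharedStore."""
    def __init__(self, store, window=3):
        self.store, self.window = store, window
    def login(self, name, code):
        # A real backend must run this read-check-update as one transaction.
        rec = self.store.users.get(name)
        if rec is None or rec["blocked"]:
            return False
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1  # consume: this code and older ones die
                return True
        return False

def demo():
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    store = SharedStore()
    store.add_user("alice", secret)  # constructed user
    web, ssh = Host(store), Host(store)
    results = [web.login("alice", hotp(secret, 0))]      # first login, host 1
    results.append(ssh.login("alice", hotp(secret, 0)))  # replay on host 2
    results.append(ssh.login("alice", hotp(secret, 1)))  # next code, host 2
    store.users["alice"]["blocked"] = True
    results.append(web.login("alice", hotp(secret, 2)))  # blocked: denied
    store.users["alice"]["blocked"] = False
    results.append(web.login("alice", hotp(secret, 2)))  # unblocked: accepted
    return results, store.users["alice"]["counter"]

if __name__ == "__main__":
    print(demo())
```

With flat files on each host, the replay on the second host would succeed because that host's counter would still be at 0; the shared record is what makes it fail.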

User Experience

The end user can conveniently use common soft tokens like 'dynalogin' and 'Google Authenticator' for Android.

Dependencies

SimpleID and dynalogin do not depend on each other, but they do work well together.

dynalogin depends on the oath-toolkit.

Contingency Plan

These are new packages and have no impact on unrelated packages or the system as a whole if they are not ready on time.